
HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

Q&A with Hogan Lovells on Security in the EU GDPR

Earlier this week, Bret Cohen and Sian Rudgard from the Hogan Lovells Privacy & Cybersecurity practice were interviewed as follows by Varonis’ The Inside Out Security Blog about data security requirements in the EU General Data Protection Regulation (GDPR).


Posted in Cybersecurity & Data Breaches

New York State Proposes Cybersecurity Regulation for Financial Services Institutions

On September 12, New York Governor Andrew Cuomo broke new ground in proposing a state-level regulation that would require banks, insurance companies, and other financial services entities regulated by the New York Department of Financial Services (“NYDFS”) to establish formal cybersecurity programs.


Posted in International/EU Privacy

Russian Data Localization Update: A Year In

It has been a year since Russia’s data localization requirement came into force in September 2015, requiring companies to store within Russia databases containing personal data they collect from Russian citizens. Exactly one year later, the Russian Data Protection Authority, Roskomnadzor, issued a news release (in Russian) on the first year of enforcement.

In the update, Roskomnadzor stated that an absolute majority of the inspected companies comply with the data localization requirement and that noncompliance is low.


Posted in International/EU Privacy

Philippines Finalizes Data Privacy Act Implementing Rules

The Philippines Data Privacy Regime

The Philippines’ first comprehensive data protection law, the Data Privacy Act of 2012 (the “Act”), took effect on 8 September 2012. The Act mandated the creation of a National Privacy Commission (“NPC”) to implement, enforce and monitor compliance with the Act, with one of its duties to promulgate rules and regulations to effectively implement the provisions of the Act. It was not until March 2016 that the NPC was officially formed, and soon after issued draft implementing rules and regulations of the Act (“IRRs”). Following a period of public consultation, the IRRs were finalised and formally promulgated on 24 August 2016 and will come into effect today, 9 September 2016.


Posted in Cybersecurity & Data Breaches

FTC Highlights How Agency’s Approach to Data Security Aligns with NIST Cybersecurity Framework

The Federal Trade Commission (FTC) recently presented an analysis of how its approach to data security over the past two decades compares with the Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) issued in 2014 by the National Institute of Standards and Technology (NIST) and strongly endorsed by the White House.

The FTC’s recent blog post on “The NIST Cybersecurity Framework and the FTC” frames its discussion around the frequently asked question, “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?”

The FTC first explains how this question has a faulty premise, as the Framework is not designed to be a compliance checklist.  Instead, in this new blog post, the FTC outlines how the FTC’s enforcement actions comport with the Framework’s five Core functions—Identify, Protect, Detect, Respond, and Recover—and emphasizes how both the Framework and the FTC’s approach highlight risk assessment and management, along with implementation of reasonable security measures, as the touchstones of any data security compliance program.

Posted in Consumer Privacy

The Federal Aviation Administration’s De Facto Drone Privacy Standards

On August 29, 2016, the Federal Aviation Administration’s (“FAA”) long-awaited small unmanned aircraft systems (“UAS” or “drone”) rule went into effect, for the first time broadly authorizing commercial drone operations.  This is a positive step, as drones have great safety and efficiency benefits for the public.  Nevertheless, the American public remains concerned about drone privacy issues.


Posted in News & Events

Privacy and Cybersecurity September 2016 Events

Please join us for our September 2016 Privacy and Cybersecurity Events.

September 1
Internet of Things Strategy
Julie Brill will speak on “The Role of Government in IoT: Do We Need a National Strategy?” at the U.S. Department of Commerce’s Internet of Things Workshop.
Location: Alexandria, Virginia


September 5
Brexit and UK Data Protection Policy
Hogan Lovells will be hosting a roundtable discussion with representatives of the UK government to discuss Brexit and UK data protection policy.
Location: Hogan Lovells’ office in London


September 12
Cybercrime Compliance
Christian Tinnefeld will discuss compliance management requirements relating to new anti-cybercrime regulations at a Financial Experts Association event.
Location: Hamburg, Germany


September 15
Data and Business
Scott Loughlin will participate in a breakout session on “Privacy and Cybersecurity: A Big Deal for Big Deals” at the IAPP P.S.R. Conference.
Location: San Jose, California


September 16
Privacy Shield and National Security
Julie Brill will moderate a panel on “Privacy Shield and Its National Security Implications” at the IAPP P.S.R. Conference.
Location: San Jose, California


Posted in Consumer Privacy, Financial Privacy

FTC Seeks Public Comment on Safeguards Rule

The FTC today announced a request for public comment on the Standards for Safeguarding Consumer Information Rule (the Safeguards Rule). The FTC promulgated the Safeguards Rule in 2002, implementing Title V of the Gramm-Leach-Bliley Act (GLBA), which required federal agencies to establish standards for the administrative, technical, and physical safeguards employed by financial institutions for certain information. In addition to general requests for comment, the FTC requested that five specific issues be addressed, which we have outlined below. Comments are due by November 7, 2016.

Posted in Health Privacy/HIPAA

FPF Releases Guide for Consumer Wearables and Wellness Apps and Devices

On Wednesday, August 17, 2016, the Future of Privacy Forum (FPF) released a set of detailed guidelines for the collection and use of consumer-generated wellness data. The document, Best Practices for Consumer Wearables & Wellness Apps & Devices, was drafted by FPF with input from a wide range of stakeholders, including privacy advocates, companies, and regulators. The Best Practices guidelines set forth a Fair Information Practice Principles (FIPPs)-based trust framework that builds on existing legal expectations to provide a set of best practices designed to result in providing appropriate protections in light of the nature and sensitivity of the data.


Posted in Consumer Privacy

Deirdre Mulligan, Hogan Lovells, Discuss Relations Between Tech Community and Government at Silicon Valley Dinner

On July 25, 2016, Hogan Lovells hosted a Silicon Valley dinner as part of its 2025 dinner series. The theme of the dinner was “I’m from Mars, You’re from Venus: The Tech Community and its Future Relationship with Government”.  The discussion, moderated by Deirdre Mulligan of UC Berkeley, focused on the tech community’s view of regulatory, law enforcement and national security issues, here in the U.S., as well as in Europe; and how the tech industry will be impacted by the upcoming U.S. elections as well as Brexit.
